Daily email report of all new Azure resources created, their owner/creator, and estimated cost.

Management type email report (costs and user who created all new resources within a timeframe) using Azure Automation runbooks, PowerShell and SendGrid.

Posted on 21 July, 2019

Ever wanted a simple breakdown report/email of all new Azure resources/objects created within a fixed timeframe? Want to know who created the resource and how much it might cost for the month? Then read on…

Overview

When senior management, the ones paying the Azure pay-as-you-go costs each month, suddenly want to know why they’re spending 10k a month on a high-spec SQL VM, you’ll soon find that who created it, and when, is difficult information to retrieve from Azure, especially if the resource was created more than 90 days ago.

Objects and resources created in Azure don’t have a “created date” property (for details on how to resolve this see previous post: CreatedOnDate tag for all resources in Azure using Azure Policy). They also don’t have a “created by” user property, but this info can be scraped from Azure Monitor logs within 90 days.

Combining these two properties and adding an estimated cost, we can keep management happy knowing that resources created were pre-approved and that costs have been justified.
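The "created by" lookup described above comes down to finding the earliest successful write operation per resource in the activity log and reading its caller. The following is an added example, not the script from this post: the function name `Get-ResourceCreator`, the helper `New-SampleEvent` and all sample records are assumptions made for illustration, and the records are constructed so the block runs offline.

```powershell
# Constructed sample events shaped like Activity Log records (for example
# the objects Get-AzLog returns): Caller, EventTimestamp, OperationName.Value,
# Status.Value, ResourceId. Names, GUIDs and resource IDs are made up.
function New-SampleEvent($Time, $Caller, $Operation, $Status, $Resource) {
    [pscustomobject]@{
        EventTimestamp = ([datetime]$Time).ToUniversalTime()
        Caller         = $Caller
        OperationName  = [pscustomobject]@{ Value = $Operation }
        Status         = [pscustomobject]@{ Value = $Status }
        ResourceId     = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/$Resource"
    }
}
$vm = 'Microsoft.Compute/virtualMachines'; $sa = 'Microsoft.Storage/storageAccounts'
$dep = 'Microsoft.Resources/deployments'
$sampleLog = @(
    New-SampleEvent '2019-07-20T08:59:00Z' 'alice@example.com' "$dep/write" 'Succeeded' "$dep/vm-deploy"
    New-SampleEvent '2019-07-20T09:00:00Z' 'alice@example.com' "$vm/write" 'Started'   "$vm/sqlvm01"
    New-SampleEvent '2019-07-20T09:04:00Z' 'alice@example.com' "$vm/write" 'Succeeded' "$vm/sqlvm01"
    New-SampleEvent '2019-07-20T15:30:00Z' 'bob@example.com'   "$vm/write" 'Succeeded' "$vm/sqlvm01"
    New-SampleEvent '2019-07-20T11:00:00Z' '11111111-2222-3333-4444-555555555555' "$sa/write" 'Succeeded' "$sa/demologs01"
    New-SampleEvent '2019-07-20T12:00:00Z' 'carol@example.com' "$sa/write" 'Failed'    "$sa/demotemp01"
)

function Get-ResourceCreator {
    param([Parameter(Mandatory)][object[]]$LogRecords)
    # Deployment and tag writes are bookkeeping, not resources to report on.
    $ignore = @('Microsoft.Resources/deployments/write', 'Microsoft.Resources/tags/write')
    $LogRecords |
        Where-Object {
            $_.Status.Value -eq 'Succeeded' -and
            $_.OperationName.Value -like '*/write' -and
            $ignore -notcontains $_.OperationName.Value
        } |
        Group-Object -Property ResourceId |
        ForEach-Object {
            # Earliest successful write wins; later writes are updates.
            $first = $_.Group | Sort-Object EventTimestamp | Select-Object -First 1
            [pscustomobject]@{
                Resource     = ($first.ResourceId -split '/')[-1]
                CreatedBy    = $first.Caller
                FirstWrite   = $first.EventTimestamp
                # A GUID caller is a service principal or managed identity, not a person.
                IsAutomation = $null -ne ($first.Caller -as [guid])
            }
        }
}

Get-ResourceCreator -LogRecords $sampleLog | Format-Table -AutoSize
```

The earliest write is only the creation event if the queried window reaches back to when the resource was created; for anything older than the log retention, the first write seen is an update and the caller is the last editor, not the owner.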

Set up the daily report

SendGrid

Create a SendGrid account in Azure, if you don’t already have one. I’m using the free tier of SendGrid in my Azure subscription. There are some limitations around advanced security, but for the purposes of a single daily email it suffices.

Azure Automation Runbook - Email-SendGrid

I’m using a Runbook for SendGrid that can be re-used by providing parameters from another Runbook, so it’s not limited to just this solution.

Retrieve the username from your SendGrid account:

Use this username, and the password you set when creating the SendGrid account, to create credentials in the Azure Automation account:

Create a new Runbook in your Automation Account, called Email-SendGrid

    # Your Automation credentials that have ReadOnly rights to all subscriptions
    $AzROAccount="AzReadOnlyAccount@domain.co.uk"

    # Recipients to receive the report
    $EmailRecipients="Jack.Rudlin@domain.co.uk","Jack.Test@domain.org.uk"

    # Automation account details and name of the runbook created for the SendGrid email
    $AutomationAccount='Azure Automation Account Name'
    $AutomationAccountRG='Azure Automation Account RG'
    $Runbook='Email-SendGrid'

You will also need an Automation Account AzureRunAsConnection which only needs permissions to run Runbooks. Remember, when you create a RunAsAccount for the first time it will give itself Contributor rights on your subscription, so you should change this.